APAR status
Closed as program error.
Error description
External Symptoms When using the KeyTool command, the command fails right after the password is entered. It fails with a NullPointerException at com.ibm.crypto.tools.KeyTool.a(Unknown Source) at com.ibm.crypto.tools.KeyTool.a(Unknown Source) at com.ibm.crypto.tools.KeyTool.run(Unknown Source) at com.ibm.crypto.tools.KeyTool.main(Unknown Source) Additional Keywords KeyTool NPE Verification Steps Run with the below traces enabled: -J-Djava.security.auth.debug=all -J-Djavax.net.debug=true Within the trace output you will find: Cipher: (Thread[main,5,main]) Crypto Permission check failed Cipher: (Thread[main,5,main]) granted: (CryptoPermission * 128) Cipher: (Thread[main,5,main]) requesting: (CryptoPermission PBE 168) com.ibm.misc.Debug exception FINER: com.ibm.security.pkcs12.BasicPFX getBags java.security.InvalidKeyException: Illegal key size
Local fix
To fix this problem, there are 2 files found in your <JAVA_HOME>/demo/jce/policy-files/unrestricted directory that need to be copied into <JAVA_HOME>/lib/security The two files that need to be copied are US_export_policy.jar and local_policy.jar Be sure that the file permissions in the newly copied files are the same as the file permissions on the original files in <JAVA_HOME>/lib/security Contact Level 2 for interim fix.
Problem summary
issue 1- PKCS12 Key Stores across 1.4.2, 5.0, and 6.0 need to support certificates which are signed with MD5withRSA. issue 2- KeyTool has a NPE when creating a JKS keystore by an import from a P12 flat file with restricted policy files.
Problem conclusion
This defect will be fixed in: 5.0.0 SR11 6.0.0 SR6 1.4.2 SR13 FP2 . issue 1- The fix is to allow for additional types of signatures to be recognized in the 3 P12 keystore types. issue 2- The fix is to check whether the parsed certificates from the file creates a null array of certificates. . To obtain the fix: Install build 20090732 or later
Temporary fix
Comments
APAR Information
APAR number
IZ58170
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-08-17
Closed date
2009-08-17
Last modified date
2009-08-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSN
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020